U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
AETNA INC.

Report No. 1C-22-00-12-065

Date: March 18, 2013

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACTS 2900, 2867, 2914 & 1766
AETNA INC.
PLAN CODES 22 / JN / 2X / JC / HF / JR / 2U
WQ / C3 / HY / P1 / P3 / UB
HARTFORD, CONNECTICUT

Report No. 1C-22-00-12-065
Date: 03/18/13

________________________
Michael R. Esser
Assistant Inspector General
for Audits

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at Aetna Inc. (Aetna or Plan). 
Aetna has two separate plans that service federal employees: a Health Maintenance Organization plan (HMO) referred to as "Open Access" and an individual practice plan with a consumer driven health plan option and a high deductible health plan option referred to as the "HealthFund."

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for Aetna, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
Aetna has established a series of IT policies and procedures to create an awareness of IT security at the Plan. We also verified that Aetna has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees.

Access Controls
Aetna has implemented numerous controls to grant and remove physical access to its data center, as well as logical controls to protect sensitive information. We also noted various controls over physical access to the data centers, as well as the method for encrypting emails containing sensitive information.

Network Security
Aetna has developed thorough network security policies and procedures around its entire operating environment. We also noted numerous hardening controls around the internal network and that Aetna conducts routine configuration reviews. Aetna's incident response policies and procedures are comprehensive and utilize software packages for incident correlation.

Configuration Management
Aetna has developed formal policies and procedures that provide guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. However, we noted several weaknesses in Aetna's configuration management program related to system configuration auditing and vulnerability scanning methodology. Aetna is working to implement the necessary changes for the identified vulnerabilities.

Contingency Planning
We reviewed Aetna's business continuity plans and concluded that they contained the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed and updated on a periodic basis.

Claims Adjudication
Aetna has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we noted several weaknesses in Aetna's claims application controls.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that Aetna is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

Executive Summary ... i
I. Introduction ... 1
    Background ... 1
    Objectives ... 1
    Scope ... 2
    Methodology ... 2
    Compliance with Laws and Regulations ... 3
II. Audit Findings and Recommendations ... 4
    A. Security Management ... 4
    B. Access Controls ... 4
    C. Network Security ... 4
    D. Configuration Management ... 5
    E. Contingency Planning ... 9
    F. Claims Adjudication ... 10
    G. Health Insurance Portability and Accountability Act ... 14
III. Major Contributors to This Report ... 16
Appendix: Aetna's December 19, 2012 response to the draft audit report issued October 31, 2012.

I. Introduction

This report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by Aetna Inc. (Aetna or Plan).

The audit was conducted pursuant to FEHBP contracts CS 2900, CS 2867, CS 2914, and CS 1766; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

This was our second audit of Aetna's general and application controls. The first audit was conducted in 2001, and all recommendations from that audit were closed prior to the start of the current audit. We also reviewed Aetna's compliance with the Health Insurance Portability and Accountability Act (HIPAA).

All Aetna personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. 
Their positive attitude and helpfulness throughout the audit were greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Aetna's IT environment. We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to Aetna's claims processing systems; and,
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of Aetna's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of Aetna's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

Aetna has two separate plans that service federal employees: a Health Maintenance Organization plan (HMO) referred to as "Open Access" and an individual practice plan with a consumer driven health plan option and a high deductible health plan option referred to as the "Healthfund."

The scope of this audit centered on the information systems used by Aetna to process medical insurance claims for FEHBP members, with a primary focus on the claims applications. Two separate systems are used to process claims at Aetna: the [redacted] system adjudicates claims for the Open Access plan and the [redacted] adjudicates claims for the Healthfund. The business processes reviewed are primarily located in Aetna's Hartford, Connecticut facilities.

The on-site portion of this audit was performed in July and August of 2012. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at Aetna as of September 2012.

In conducting our audit, we relied to varying degrees on computer-generated data provided by Aetna. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this review we:
• Gathered documentation and conducted interviews;
• Reviewed Aetna's business structure and environment;
• Performed a risk assessment of Aetna's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and,
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Aetna's control structure. These criteria include, but are not limited to, the following publications:
• Title 48 of the Code of Federal Regulations;
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's FISCAM;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and,
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Aetna's practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Aetna was not in complete compliance with all standards as described in the "Audit Findings and Recommendations" section of this report.

II. Audit Findings and Recommendations

A. Security Management
The security management component of this audit involved the examination of the policies and procedures that are the foundation of Aetna's overall IT security controls. We evaluated Aetna's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

Aetna has implemented a series of formal policies and procedures that comprise its security management program. Aetna's Information Security Committee is responsible for creating, reviewing, editing, and disseminating IT security policies. Aetna has also developed a thorough risk management methodology, and has procedures to document, track, and mitigate or accept identified risks. We also reviewed Aetna's human resources policies and procedures related to hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that Aetna does not have an adequate security management program.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls at Aetna's headquarters building and its data centers. We also examined the logical controls protecting sensitive data on Aetna's network environment and claims processing applications.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting physical access to facilities and data centers;
• Procedures for revoking access to data centers for terminated employees;
• Procedures for removing Windows/network access for terminated employees; and,
• Controls to monitor and filter email and Internet activity.

Nothing came to our attention to indicate that Aetna has not implemented adequate controls related to access controls.

C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

Aetna has documented thorough and complete network infrastructure diagrams. Aetna has implemented a comprehensive firewall architecture in its network, and conducts routine configuration reviews of these devices. Aetna's incident response policies and procedures are comprehensive, and they have utilized software packages for incident correlation.

Nothing came to our attention to indicate that Aetna does not have an adequate network security program.

D. Configuration Management
Aetna uses two claims adjudication applications to process FEHBP claims: [redacted] for the Open Access plan and [redacted] for the Healthfund. 
These applications are housed in a mainframe environment. We evaluated Aetna's management of the configuration of the mainframes and the supporting [redacted] environment and determined that the following controls were in place:
• Documented and approved server and workstation builds;
• Controls for monitoring privileged user activity on the operating platform; and,
• Thorough change management procedures for system software and hardware.

The sections below document areas for improvement related to Aetna's configuration management controls.

1. Routine System Configuration Auditing

Aetna maintains an approved baseline configuration for its mainframe security software. In the fieldwork phase of our audit, we found that routine compliance auditing was not a formal process and was not documented within Aetna's security policies and procedures. Since then, Aetna has implemented a formal process for routine mainframe system configuration auditing and has documented the procedures within an approved security policy.

Aetna utilizes an approved standard build for all [redacted]. Before a [redacted] is moved from the test environment to production, a one-time review is conducted to ensure configuration settings are compliant with the approved build. However, there is currently no ongoing/routine compliance check to ensure [redacted] configurations continue to remain in compliance with approved build sheets after [redacted] implementation.

NIST SP 800-53 Revision 3 states that an organization must monitor and control changes to the configuration settings in accordance with organizational policies and procedures. FISCAM also requires that current configuration information be routinely monitored for accuracy. Monitoring should address the baseline and operational configuration of the hardware, software, and firmware that comprise the information system.

Failure to routinely monitor the system configuration increases the risk the system may not meet security and performance requirements defined in the established documentation.

Recommendation 1
We recommend that Aetna implement a methodology to routinely monitor the configuration [redacted] to the approved build documentation.

Aetna Response:
"Aetna will implement a methodology that includes:
• Establish configuration baselines
• Schedule scans to determine deviation from baseline
• Establish a risk based approach for remediation of configuration deviations

Closure ETA: Management has presented an issue closure plan by 01/31/2013. [redacted]"

OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM's Healthcare and Insurance Office (HIO) with evidence that configuration baselines have been established, scans have been conducted, and deviations have been remediated.

2. Vulnerability Scanning

a. Full-scope Vulnerability Scanning
Aetna conducts periodic vulnerability scans on its information systems using automated tools, and contracts a third party vendor to conduct external scans. Aetna scans several specific [redacted] on a weekly basis, but only scans the remainder [redacted] on an [redacted] basis. We understand that it may be unreasonable for Aetna to frequently scan its entire environment. However, we were not able to independently confirm whether [redacted] had ever been subject to previous vulnerability scans.

[redacted]

Recommendation 2
We recommend that Aetna implement a process to conduct routine vulnerability scans on its entire [redacted] environment.

Aetna Response:
"Aetna currently utilizes a risk based approach in support of completing vulnerability assessments by focusing its scanning resources to high risk environments. As a result, these environments are scanned with significant rigor by both Aetna and externally contracted partners. Currently, Aetna's internal trusted network is subjected to annual and ad hoc assessments that scan [redacted] and provide results with remediation advice to the system owners responsible for remediation.

To evolve Aetna's strategic vulnerability management program in 2012, the investment of deploying a scanning technology framework across the enterprise was achieved. Aetna's strategic vision of its vulnerability management program further evolved in 2012 due to the integration effort of the scanning infrastructure into the IT GRC (Governance, Risk and Compliance) tool. Integrating vulnerability scan results into the IT GRC tool will provide increased risk management oversight for remediation and prioritization. This new vulnerability management program will establish a strategic foundation for findings management and remediation workflow by providing data to assess and deploy timely patches across the enterprise... This accomplishment will allow for the management of more frequent scanning and drive timely implementation of system patches.

Aetna will implement a methodology that includes:
• Aetna has continued to expand its vulnerability management program to other environments with the solution in place as of 1/31/201[3].
• To complete the migration of its strategic vulnerability management program, Aetna is scheduled to include all [redacted] within the Internal Trusted network [redacted]"

OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM's HIO with evidence that vulnerability scans are routinely conducted on the entire [redacted] environment.

b. System Patching
Aetna has documented [redacted] of am[redacted]

FISCAM states that "Software should be scanned and u[redacted] known vulnerabilities."

[redacted] Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously."

Although the servers we scanned are protected by firewalls and other technologies, [redacted] sensitive information could be stolen.

Recommendation 3
[redacted]

Aetna Response:
"Aetna will continue to evolve its enterprise vulnerability management program, enabling more stringent oversight and communication with system owners on vulnerability findings and remediation expectations.

Aetna will implement a methodology that includes:
• Review of current [redacted] patching process to identify gaps
• Refinement of [redacted] patching process
• Post-implementation scan to ensure successful completion of upgrades"

OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM's HIO with evidence of its improved methodology to ensure that [redacted] are installed with appropriate [redacted].

c. Noncurrent Software
The results of our vulnerability scans indicated that [redacted] contained noncurrent software applications that were no longer supported by the vendors and may have known security vulnerabilities.

FISCAM states that "Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."

Failure to promptly remove outdated software increases the risk of a successful malicious attack on the information system.

Recommendation 4
We recommend that Aetna implement a methodology to ensure that current and supported versions of system software are installed on the [redacted].

Aetna Response:
"Aetna will implement a methodology that includes:
• Review of current [redacted] software patching process to identify gaps
• Refinement of [redacted] software patching process
• Schedule of scans
• Establish a risk based approach for remediation of non-current and unsupported software

Closure ETA: Management has submitted an issue closure plan by 01/31/2013. Closure target date was presented as part of the closure plan."

OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM's HIO with evidence of its improved methodology to ensure that current and supported versions of system software are installed on the [redacted].

d. Unnecessary Applications
The results of our vulnerability scans indicated that [redacted] contained third-party applications [redacted] that were not likely essential to the functionality of that server.

NIST SP 800-53 Revision 3 states that the organization should configure the information system to provide only essential capabilities. An organization should also review the information system to identify and eliminate unnecessary functions.

Installing unnecessary software to an information system can increase the amount of exposed vulnerabilities and methods an intruder can use to gain unauthorized access to the system.

Recommendation 5
We recommend that Aetna review its [redacted] configuration to ensure that only necessary software is installed on its [redacted].

Aetna Response:
"Aetna will implement a methodology that includes:
• Schedule of scans to identify unnecessary software installations
• Establish a risk based approach for removal of unnecessary software.

Closure ETA: Management has presented an issue closure plan by 01/31/2013. Closure target date was presented as part of the closure plan."

OIG Reply:
As part of the audit resolution process, we recommend that Aetna provide OPM's HIO with evidence [redacted] methodology to ensure that only necessary software is installed on its [redacted].

E. Contingency Planning
We reviewed the following elements of Aetna's contingency planning program to determine whether controls were in place to prevent or minimize interruptions to business operations when disastrous events occur:
• Disaster response plan;
• Business continuity plan for data center operations;
• Business continuity plans for claims processing operations and claims support;
• Disaster recovery plan tests conducted in conjunction with the alternate data center; and,
• Emergency response procedures and training.

We determined that the service continuity documentation contained the critical elements suggested by NIST SP 800-34, "Contingency Planning Guide for IT Systems." Aetna has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources.

Nothing came to our attention to indicate that Aetna has not implemented adequate controls related to contingency planning.

F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting Aetna's claims adjudication process.

1. Application Configuration Management
We evaluated the policies and procedures governing application development and change control of Aetna's claims processing systems.

Aetna has implemented policies and procedures related to application configuration management, and has adopted a system development life cycle methodology that IT personnel follow during routine software modifications. 
We observed the following controls
      related to testing and approvals of software modifications:
      • Aetna has adopted practices that allow modifications to be tracked throughout the change
        process;
      • Code, unit, system, and quality testing are all conducted in accordance with industry
        standards; and,
      • Aetna uses a business unit independent from the software developers to move the code
        between development and production environments to ensure adequate segregation of
        duties.

      Nothing came to our attention to indicate that Aetna has not implemented adequate controls
      related to the application configuration management process.

   2. Claims Processing System
      We evaluated the input, processing, and output controls associated with Aetna's claims
      processing systems. We determined that Aetna has implemented policies and procedures to
      help ensure that:
      • Paper claims that are received in the mail room are tracked to ensure timely processing;
      • Claims are monitored as they are processed through the systems with real time tracking
        of the system's performance; and,
      • Claims scheduled for payment are actually paid.

      Nothing came to our attention to indicate that Aetna has not implemented adequate controls
      over the claims processing system.

   3. Enrollment
      We evaluated Aetna's procedures for managing its database of member enrollment data.
      Electronic enrollment data is processed weekly and paper files are processed daily. Aetna
      has a reconciliation process to ensure all data that was sent to the plan was received and
      processed.

      Nothing came to our attention to indicate that Aetna has not implemented adequate controls
      over the enrollment process.

   4. 
Debarment
      Aetna has adequate procedures for updating its claim processing systems with debarred
      provider information and routinely audits its debarment database for accuracy.

      Aetna downloads the OPM OIG debarment list every month and compares the data to its
      provider database. Debarred providers that are a direct match to the debarment list are
      automatically terminated from the provider database. A manual review is conducted for all
      partial matches to ensure that all debarred providers are appropriately terminated.

      Nothing came to our attention to indicate that Aetna has not implemented adequate controls
      over the debarment process.

   5. Special Investigations and Fraud
      We evaluated the Aetna policies and procedures governing special investigations and fraud.
      We determined that Aetna has substantial policies and procedures in place to detect, manage,
      and report fraud.

      Nothing came to our attention to indicate that Aetna has not implemented adequate controls
      over its special investigations and fraud unit.

   6. Application Controls Testing
      We conducted a test on Aetna's claims adjudication applications to validate the systems'
      processing controls. The exercise involved processing test claims designed with inherent
      flaws and evaluating the manner in which Aetna's systems adjudicated the claims. 
Test
      claims were submitted to the ______ system for the Open Access plan and ______ for the
      HealthFund.

      Our test results indicate that both systems have controls and system edits in place to identify
      the following scenarios:
      • Invalid members and providers;
      • Member eligibility;
      • Gender;
      • Timely filing; and,
      • Catastrophic maximum.

      The sections below document opportunities for improvement related to Aetna's claims
      application controls.

      a. Benefit Structure Inconsistency
         We submitted test claims into ______ for ______. The claims were
         processed and a $15 copay was applied. However, according to the Aetna Open
         Access 2012 benefit brochure, the copay for ______ should be $35. Aetna
         confirmed that the copay amount was loaded ______ correctly, but only for the
         state of Delaware, and has since corrected the error.

         We also entered two test claims for a ______ within the same year. Both of
         these claims were processed ______. However, the Aetna Open Access 2012 benefit
         brochure restricts coverage of ______ to one time per year.

         Recommendation 6
         We recommend that Aetna conduct a review of ______ settings to ensure the application
         properly reflects the benefits defined in the Aetna Open Access benefit brochure.

         Aetna Response:
         "Going forward, when Aetna is notified of a new state mandate the HMO Product
         Admin team will be sent a list of all groups with plans in that particular state. 
The
         team will scan the list for the federal plans and remove them from the list.
         In the unlikely instance that a plan participant would receive more than one ______
         in a year, due to system limitations, Aetna's HMO system does not have
         the ability to limit to this frequency. With the planned migration off of HMO to
         Aetna's strategic claim platform ______ there is not anticipated investment in
         enhancements to the legacy platform."

         OIG Reply:
         We believe that the recommendation should remain open until Aetna provides OPM's
         HIO with evidence that the ______ has been updated to correct the deficiency, or that the
         plan has successfully migrated all FEHBP claims processing activity to ______.

      b. Provider/Procedure Inconsistency
         We entered test claims for ______ performing a ______ and ______. Despite the fact
         that ______ is not licensed to ______, the claim was processed without encountering
         any edits.

         We also entered test claims for a ______ performing ______. Again, the
         claims were inappropriately processed ______ and ______ systems without
         encountering any edits.

         Aetna stated that its systems are not configured to compare the ______ to the
         ______ to identify inconsistencies. Aetna assumes ______
         provider is billing a service, ______ and that they are indeed
         actively licensed in that state. Aetna's Special Investigations Unit is responsible for
         detecting instances of providers who are billing ______. 
While
         we acknowledge that a medical doctor legally can perform any medical procedure
         (______), the providers in our test claims were not
         medical doctors.

         Although Aetna's SIU is tasked with detecting instances of providers billing outside the
         scope of their license, this process can be improved by utilizing preventive controls
         within the claims processing system.

         Recommendation 7
         We recommend that Aetna make the appropriate system modifications to prevent
         medically inconsistent claims from processing.

         Aetna Response:
         "Aetna has carefully reviewed this issue and based on a significantly extensive activity
         to implement such a solution for what would [be] considered a highly unlikely event,
         Aetna will continue to place reliance on the downstream SIU process."

         OIG Reply:
         We disagree with Aetna's position and continue to recommend that Aetna modify its
         claims processing system to prevent medically inconsistent claims from processing. We
         believe that preventive medical editing controls are much more efficient and effective
         than reactive controls, such as relying on the SIU to recoup inappropriately billed claims.

      c. Procedure Code Billing Guidelines Not Enforced
         We entered two separate test claims for ______ with multiple
         service dates within a span of 30 days. All of these services were paid without
         encountering edits in ______. However, according to the American Medical Association,
         this procedure code is only allowed to be billed once every 30 days. ______ 
was able to
         recognize the procedure code inconsistency and appropriately denied all but one claim
         line that occurred within the 30 day time span.

         Recommendation 8
         We recommend that Aetna make the appropriate system modification to enforce proper
         procedure code billing guidelines.

         Aetna Response:
         "A system enhancement was implemented November 10, 2012 which is now denying
         services for this scenario. Evidence has been provided to the OIG to demonstrate
         closure."

         OIG Reply:
         The evidence provided by Aetna in response to the draft audit report indicates that the
         Plan has made the appropriate system modification to enforce proper procedure code
         billing guidelines; no further action is required.

      d. Near Duplicate
         We submitted two separate test claims into ______ with an identical patient, procedure
         code, diagnosis code, date of service and billed amounts; the only difference between the
         two claims was the provider. These claims processed without encountering any edits and
         paid both providers the same amount.

         Due to the similarity of these claims, we expected the second claim to be deferred by a
         suspected duplicate edit so that a claims processor could determine if the claim was
         submitted correctly.

         Recommendation 9
         We recommend that Aetna implement controls to prevent near duplicate claims from
         processing.

         Aetna Response:
         •   "A recommendation for revision to our duplicate editing logic will be presented
             internally to our policy area for review.
         •   The recommendation will be presented to the policy council at their March
             meeting. 
Target date: 3/30/13
         •   Any additional management action plans will be reviewed with the OIG based upon
             the review committee's decision."

         OIG Reply:
         As part of the audit resolution process, we recommend that Aetna provide OPM's HIO
         with evidence that the claims processing system has been modified to prevent near
         duplicate claims from processing.

G. Health Insurance Portability and Accountability Act
   We reviewed Aetna's efforts to maintain compliance with the security and privacy standards of
   HIPAA.

   Aetna has implemented a series of IT security policies and procedures to adequately address the
   requirements of the HIPAA security rule. Aetna has also developed a series of privacy policies
   and procedures that directly addresses all requirements of the HIPAA privacy rule. Aetna
   reviews its HIPAA privacy and security policies annually and updates them when necessary. Aetna
   has designated a Privacy Official who has the responsibility of ensuring compliance with HIPAA
   Privacy and Security policies. Each year, all employees must complete Aetna's "Business
   Conduct and Integrity" training course. This training encompasses HIPAA regulations as well as
   general compliance.

   Nothing came to our attention that caused us to believe that Aetna is not in compliance with the
   various requirements of HIPAA regulations.

                    III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. 
The following individuals participated in the audit
and the preparation of this report:
• ______, Group Chief
• ______, Senior Team Leader
• ______, Auditor-In-Charge
• ______, Lead IT Auditor
• ______, IT Auditor

                                              Appendix

                                                                               Aetna Inc.
                                                                               151 Farmington Avenue
                                                                               Hartford, CT 06156

                                                                               ______, Manager
                                                                               Aetna Information Systems

December 19, 2012

Information Systems Audits Group
U.S. Office of Inspector General
1900 E Street, NW - Room 6400
Washington, D.C. 20415-1100

RE: Aetna's response to Draft Report No. 1C-22-00-12-065

        Aetna submits the following response to the above-referenced Draft Audit Report issued by the
Office of Personnel Management (OPM) Office of the Inspector General (OIG) under the Federal
Employees Health Benefits Program (FEHBP). The audit covered the general and application controls
over the automated claims processing systems and other computer-based systems at Aetna.

        Enclosed you will find two copies of the Draft Report. The first attachment is labeled "Aetna's
Comments to the Draft Report" and the second attachment is labeled "Proposed Redactions". Aetna has
responded to all of OIG's recommendations and has included a proposed timetable for completion in the
first attachment. 
The second attachment includes Aetna's response to the Draft Report with proposed
redactions. Aetna respectfully requests OIG to implement the proposed redactions prior to the Final
Report's posting on the OIG website under the Freedom of Information Act.

        If you have any questions or concerns about our response, please feel free to contact me
at ______.

Sincerely,

______, Senior Vice President, Aetna Federal Plans

______, Information Systems Audits Group
______, Underwriting Head of Aetna Federal Plans

Recommendation 1
Aetna will implement a methodology that includes:
       • Establish configuration baselines
       • Schedule scans to determine deviation from baseline
       • Establish a risk based approach for remediation of configuration deviations

Closure ETA: Management has presented an issue closure plan by 01/31/2013.

Recommendation 2
Aetna currently utilizes a risk based approach in support of completing vulnerability assessments by
focusing its scanning resources to high risk environments. As a result, these environments are scanned
with significant rigor by both Aetna and externally contracted partners. Currently, Aetna's internal trusted
network is subjected to annual and ad hoc assessments that scan a sample of Aetna's ______
and provide results with remediation advice to the system owners responsible for remediation.
To evolve Aetna's strategic vulnerability management program in 2012, the investment of deploying a
scanning technology framework across the enterprise was achieved. Aetna's strategic vision of its
vulnerability management program further evolved in 2012 due to the integration effort of the scanning
infrastructure into the IT GRC (Governance, Risk and Compliance) tool. 
Integrating vulnerability scan
results into the IT GRC tool will provide increased risk management oversight for remediation and
prioritization. This new vulnerability management program will establish a strategic foundation for findings
management and remediation workflow by providing data to assess and deploy timely patches across the
enterprise... This accomplishment will allow for the management of more frequent scanning and drive
timely implementation of system patches.
Aetna will implement a methodology that includes:
          • Aetna has continued to expand its vulnerability management program to other environments
              with the solution in place as of 1/31/201[3].
          • To complete the migration of its strategic vulnerability management program, Aetna is
              scheduled to include all ______ within the Internal Trusted network by ______

Recommendation 3
Aetna will continue to evolve its enterprise vulnerability management program, enabling more stringent
oversight and communication with system owners on vulnerability findings and remediation expectations.

    Aetna will implement a methodology that includes:
        • Review of current ______ patching process to identify gaps
        • Refinement of ______ patching process
        • Post-implementation scan to ensure successful completion of upgrades

Closure ETA: ______

Recommendation 4
Aetna will implement a methodology that includes:
       • Review of current ______ software patching process to identify gaps
       • Refinement of ______ software patching process
       • Schedule of scans
       • Establish a risk based approach for remediation of non-current and unsupported software

Closure ETA: Management has submitted an issue closure plan by 01/31/2013. 
Closure target date
was presented as part of the closure plan.

Recommendation 5
Aetna will implement a methodology that includes:
       • Schedule of scans to identify unnecessary software installations
       • Establish a risk based approach for removal of unnecessary software.

Closure ETA: Management has presented an issue closure plan by 01/31/2013. Closure target date was
presented as part of the closure plan.

Recommendation 6
Going forward, when Aetna is notified of a new state mandate the HMO Product Admin team will be sent
a list of all groups with plans in that particular state. The team will scan the list for the federal plans and
remove them from the list.

In the unlikely instance that a plan participant would receive more than one routine mammogram in a
year, due to system limitations, Aetna's HMO system does not have the ability to limit to this frequency.
With the planned migration off of HMO to Aetna's ______ there is not anticipated
investment in enhancements to the legacy platform.

Recommendation 7
Aetna has carefully reviewed this issue and based on a significantly extensive activity to implement such
a solution for what would be considered a highly unlikely event, Aetna will continue to place reliance on the
downstream SIU process.

Recommendation 8
A system enhancement was implemented November 10, 2012 which is now denying services for this
scenario. Evidence has been provided to the OIG to demonstrate closure.

Recommendation 9
        •   A recommendation for revision to our duplicate editing logic will be presented internally to our
            policy area for review.
        •   The recommendation will be presented to the policy council at their March meeting. 
Target
            date: 3/30/13
        •   Any additional management action plans will be reviewed with the OIG based upon the
            review committee's decision.
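The preventive claim edits the OIG recommends in the Application Controls Testing section (Recommendations 7, 8 and 9: provider/procedure consistency, the once-every-30-days procedure code rule, and near-duplicate detection), shown as an added Python illustration that is not part of this report and is not Aetna's claims platform or its edit logic; every provider type, procedure code, frequency limit and sample claim in it is a constructed placeholder.

```python
# Preventive claim edits for the three application-control findings above
# (Recommendations 7, 8 and 9). Every provider type, procedure code, limit and
# claim here is a constructed placeholder, not Aetna data or Aetna's edit logic.
from collections import namedtuple
from datetime import date

Claim = namedtuple("Claim", "claim_id member_id provider_id provider_type "
                            "procedure diagnosis service_date billed")

# Hypothetical scope table: codes a non-physician provider type may bill.
# "MD" is exempt, as the report notes a medical doctor may perform any procedure.
ALLOWED_SCOPE = {"DDS": {"D0120", "D1110"}, "DC": {"98940"}}
# Hypothetical frequency limits: code -> window (days) in which it is billable once.
FREQUENCY_LIMIT_DAYS = {"P0001": 30}

def provider_scope_edit(c, scope=ALLOWED_SCOPE):
    """Rec. 7: deny when the provider type is not licensed for the procedure."""
    if c.provider_type == "MD" or c.procedure in scope.get(c.provider_type, ()):
        return None
    return f"scope: {c.provider_type} not licensed for {c.procedure}"

def frequency_edit(c, paid, limits=FREQUENCY_LIMIT_DAYS):
    """Rec. 8: deny a frequency-limited code already paid for the same member
    within the window (the report's once-every-30-days case)."""
    window = limits.get(c.procedure)
    for h in paid if window else ():
        if (h.member_id, h.procedure) == (c.member_id, c.procedure) and \
                abs((c.service_date - h.service_date).days) < window:
            return f"frequency: {c.procedure} paid on {h.claim_id} within {window} days"
    return None

def duplicate_edit(c, paid):
    """Rec. 9: same member, code, diagnosis, date and amount as a paid claim.
    Same provider: exact duplicate, deny. Different provider: near duplicate, defer."""
    key = lambda x: (x.member_id, x.procedure, x.diagnosis, x.service_date, x.billed)
    for h in paid:
        if key(h) == key(c):
            if h.provider_id == c.provider_id:
                return "DENY", f"duplicate of {h.claim_id}"
            return "DEFER", f"near duplicate of {h.claim_id}, provider differs"
    return None

def adjudicate(claims):
    """Run claims in submission order; only claims that PAY enter the history."""
    paid, result = [], {}
    for c in claims:
        reason = provider_scope_edit(c) or frequency_edit(c, paid)
        dup = None if reason else duplicate_edit(c, paid)
        if reason:
            result[c.claim_id] = "DENY: " + reason
        elif dup:
            result[c.claim_id] = f"{dup[0]}: {dup[1]}"  # deferred claims go to a processor
        else:
            result[c.claim_id] = "PAY"
            paid.append(c)
    return result

def sample_run():
    """Constructed test claims mirroring the report's scenarios."""
    claims = [
        Claim("C1", "M1", "P1", "MD", "P0001", "X1", date(2012, 6, 1), 100.0),
        Claim("C2", "M1", "P1", "MD", "P0001", "X1", date(2012, 6, 15), 100.0),  # 14 days later
        Claim("C3", "M1", "P1", "MD", "P0001", "X1", date(2012, 7, 5), 100.0),   # 34 days later
        Claim("C4", "M2", "P2", "DC", "D0120", "X2", date(2012, 8, 1), 60.0),    # outside DC scope
        Claim("C5", "M3", "P3", "MD", "99213", "X3", date(2012, 9, 1), 80.0),
        Claim("C6", "M3", "P4", "MD", "99213", "X3", date(2012, 9, 1), 80.0),    # only provider differs
        Claim("C7", "M3", "P3", "MD", "99213", "X3", date(2012, 9, 1), 80.0),    # exact repeat of C5
    ]
    return adjudicate(claims)
```

A deferred disposition routes the claim to a claims processor instead of paying it, which is the outcome the report expected for its near-duplicate test.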